


Timestamp:
09/19/2017 01:19:20 PM (3 years ago)
Author:
johnbillion
Message:

General: Add missing URL-encoding and add extra hardening to plugin and template names when they're displayed in the admin area.

Merges [41434] with changes to the 4.3 branch.

See #13377

Location:
branches/4.3
Files:
2 edited


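--- a/branches/4.3/src/wp-admin/theme-editor.php
+++ b/branches/4.3/src/wp-admin/theme-editor.php
@@ -69,5 +69,5 @@
     $file = $allowed_files['style.css'];
 } else {
-    $relative_file = $file;
+    $relative_file = wp_unslash( $file );
     $file = $theme->get_stylesheet_directory() . '/' . $relative_file;
 }
@@ -126,8 +126,10 @@
 <?php endif;
 
-$description = get_file_description( $file );
+$file_description = get_file_description( $relative_file );
 $file_show = array_search( $file, array_filter( $allowed_files ) );
-if ( $description != $file_show )
-    $description .= ' <span>(' . $file_show . ')</span>';
+$description = esc_html( $file_description );
+if ( $file_description != $file_show ) {
+    $description .= ' <span>(' . esc_html( $file_show ) . ')</span>';
+}
 ?>
 <div class="wrap">
@@ -178,7 +180,7 @@
             echo "\t</ul>\n\t<h3>" . _x( 'Styles', 'Theme stylesheets in theme editor' ) . "</h3>\n\t<ul>\n";
 
-        $file_description = get_file_description( $absolute_filename );
+        $file_description = esc_html( get_file_description( $filename ) );
         if ( $file_description != basename( $filename ) )
-            $file_description .= '<br /><span class="nonessential">(' . esc_html( $filename ) . ')</span>';
+            $file_description .= '<br /><span class="nonessential">(' . esc_html( $filename ) . ')</span>';
 
         if ( $absolute_filename == $file )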
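Review bot: In the third hunk the new line `$file_description = esc_html( get_file_description( $filename ) );` escapes the value before the `!= basename( $filename )` comparison, so the escaped string is compared against the raw basename; any filename containing `&`, `<`, `>`, `"` or `'` will no longer match and the parenthetical will be emitted redundantly. The second hunk gets this right by keeping the raw value for the comparison and escaping separately at output, and the same pattern should be used here: `$raw_description = get_file_description( $filename );`, `$file_description = esc_html( $raw_description );`, `if ( $raw_description != basename( $filename ) )`. This is cosmetic rather than a security regression, since both the description and `$filename` are escaped on the new side either way. The enclosing loop that iterates the theme's files begins and ends outside the hunk, so I cannot see whether `$filename` is constrained to `$allowed_files` there.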